Microsoft to hackers: Break our Azure Sphere Linux IoT OS and earn up to $100k

Microsoft puts up a $100,000 bounty for critical bugs affecting its Linux-based OS for Azure Sphere.

Microsoft has launched the Azure Sphere Research Challenge, offering approved security researchers individual rewards of up to $100,000 for dangerous exploits that break the security of Azure Sphere, its Linux-based platform for internet-connected (IoT) devices.

Azure Sphere consists of a custom Linux kernel and OS, a connected microcontroller, and a cloud-based security service that ensures IoT devices like fridges and washing machines can be updated and maintained remotely with protections against denial-of-service attacks and rogue software updates.

Azure Sphere reached general availability in February, and now Microsoft is ready to let select hackers probe its Linux-based OS for vulnerabilities.

The Azure Sphere Research Challenge is an expansion of Azure Security Lab, announced at Black Hat in August 2019 with a top reward of $40,000.

The duration of the new challenge is three months and offers the top reward of $100,000 to researchers who can execute code on Azure Pluton and Azure Secure World.

The Azure Sphere application platform features Normal World, the Linux equivalent of user mode, and Secure World, which sits below Microsoft’s custom Linux kernel and is where the Security Monitor runs. Only Microsoft-supplied code can run in supervisor mode or in Secure World, Microsoft notes.

Security bugs found outside the challenge’s scope, such as in the cloud portion of the Azure Sphere platform, could be granted awards under the public Azure Bounty Program. Physical attacks are out of the scope of both the challenge and the Azure Bounty Program.

Microsoft will supply approved researchers an Azure Sphere development kit, access to Microsoft products and services for research purposes, Azure Sphere product documentation, and direct communication channels with the Microsoft team.

“By expanding the Azure Security Lab, we’re providing more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud,” Microsoft notes.

Microsoft is also tapping skills at several security firms with expertise in IoT security research, including Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco’s Talos team, ESET, FireEye, F-Secure Corporation, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.

Researchers need to submit an application form to Microsoft before May 15, 2020. Microsoft will review applications each week and notify accepted researchers by email.

This Azure Sphere Research Challenge runs from June 1, 2020 through August 31, 2020.

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x